← back to blog

Securing Your MonoRouter Instance: API Keys, HTTPS, and Access Control

MonoRouter sits between your code and Claude. Here's how to lock it down so only authorized users can route through your sessions.

MonoRouter gives your Claude subscription an API-like interface. That's powerful — and it means security matters. If someone gets access to your MonoRouter endpoint, they can use your Claude sessions.

API Key Authentication

Every MonoRouter instance requires an API key for access. When you create an account, you get a unique API key that you set as your ANTHROPIC_API_KEY in your SDK configuration. MonoRouter validates this key on every request.

Your MonoRouter API key is not your Anthropic API key. It's a separate credential that MonoRouter uses to authenticate you. Your actual Claude sessions are managed server-side and never exposed to clients.

Configuring Your API Key

Set it as an environment variable so it's never hardcoded in your source:

# In your shell profile (~/.zshrc, ~/.bashrc)
export ANTHROPIC_API_KEY="mr_live_abc123"
export ANTHROPIC_BASE_URL="https://api.monorouter.dev/v1"

For project-level configuration, use a .env file and add it to .gitignore:

# .env (never commit this file)
ANTHROPIC_API_KEY=mr_live_abc123
ANTHROPIC_BASE_URL=https://api.monorouter.dev/v1
# .gitignore
.env
.env.local
.env.*.local

Per-Platform Best Practices

macOS / Linux — Use your shell profile or a tool like direnv for per-directory env vars:

# .envrc (auto-loaded by direnv when you cd into the project)
export ANTHROPIC_API_KEY="mr_live_abc123"
export ANTHROPIC_BASE_URL="https://api.monorouter.dev/v1"

CI/CD (GitHub Actions) — Store credentials as encrypted secrets:

env:
  ANTHROPIC_API_KEY: ${{ secrets.MONOROUTER_KEY }}
  ANTHROPIC_BASE_URL: https://api.monorouter.dev/v1

Docker — Pass environment variables at runtime, never bake them into the image:

# Don't do this:
# ENV ANTHROPIC_API_KEY=mr_live_abc123

# Do this at runtime:
# docker run -e ANTHROPIC_API_KEY=mr_live_abc123 myapp

Verifying Your Key Works

Quick check from the command line:

curl -s https://api.monorouter.dev/v1/messages \
  -H "x-api-key: $ANTHROPIC_API_KEY" \
  -H "content-type: application/json" \
  -H "anthropic-version: 2023-06-01" \
  -d '{
    "model": "claude-sonnet-4-20250514",
    "max_tokens": 32,
    "messages": [{"role": "user", "content": "Say hello"}]
  }'

A 200 response means you're authenticated and routing through MonoRouter. A 401 means the key is invalid or missing.

HTTPS by Default

MonoRouter's hosted service runs over HTTPS with TLS 1.3. All communication between your SDK and MonoRouter is encrypted in transit. There's no option to use plain HTTP — we enforce HTTPS at the infrastructure level.

This means your prompts, responses, and API keys are encrypted on the wire. Even on a shared network, an attacker can't sniff your Claude conversations.

Session Isolation

Each MonoRouter account has its own session pool. Your sessions are never shared with other users. When you connect a Claude account to MonoRouter, only requests authenticated with your API key can use that session.

Recovery Codes

Your MonoRouter account is protected by a password and a set of recovery codes. Recovery codes are generated at signup and are the only way to regain access if you lose your password. We don't store your recovery codes — we store bcrypt hashes. Keep the originals safe.

Store your recovery codes securely:

MonoRouter Recovery Kit
========================
Account email: [email protected]
Generated:     2026-03-15

Recovery codes (each single-use):
  mrr-a1b2-c3d4
  mrr-e5f6-g7h8
  mrr-i9j0-k1l2
  mrr-m3n4-o5p6
  mrr-q7r8-s9t0
  mrr-u1v2-w3x4

Store in: password manager, printed copy in safe
Do NOT store in: plain text files, email, Slack messages

What We Don't Store

MonoRouter doesn't log your prompts or Claude's responses. We store metadata for rate limiting and usage tracking — timestamps, token counts, model names — but never the content of your conversations. Your intellectual property stays between your code and Claude.

Here's what we do and don't retain:

DataStored?Purpose
Prompt contentNo
Response contentNo
Model nameYesUsage analytics
Token countsYesQuota tracking
Request timestampsYesRate limiting
API key (hashed)YesAuthentication
Password (hashed)YesAuthentication
Recovery codes (hashed)YesAccount recovery